With the development of technology, cloud computing has become widely used, and a large number of applications are deployed on virtual resources provided by a cloud computing service, so as to reduce hardware costs and make operation and maintenance more efficient.
An application with a complex topology, such as a telecommunication service application, usually includes multiple functional modules, each responsible for a respective functional area. The information security requirements of these modules usually differ. Therefore, during actual deployment, the user requires that the modules be deployed in different network security zones, with a firewall configured between the security zones to control cross-zone traffic.
When such an application with a complex structure is deployed in a cloud computing environment, security zone division and cross-zone access permission configuration likewise need to be performed to meet its information security requirement.
Infrastructure as a service (IaaS) is a form of cloud computing service that provides virtual resources. As a service, IaaS offers a virtual resource service capability to a tenant, and the tenant obtains virtual resources from the IaaS. A virtual resource is obtained by using a virtualization technology to divide a physical resource into multiple independent parts that can each be used by a tenant; from the user's point of view, each part has all the characteristics of the original physical resource. These divided resources are "virtual resources".
To ensure that tenants use virtual resources without interfering with each other, the IaaS isolates resources on a per-tenant basis. With tenant isolation, a tenant A can operate only its own virtual resources through the IaaS interface and cannot operate the virtual resources of another tenant.
The IaaS may at the same time provide network resources to the tenant and implement network access control through network resource configuration. A network resource is a virtual resource, such as a virtual switch, a virtual network, or a security group, that is generated and managed by the IaaS and used to form and control networks. For example, the OpenStack cloud computing management platform provides security groups. A security group can be configured with an inbound and outbound traffic control policy for virtual machines (VMs). VMs in the same security group may access each other over the network, while cross-security-group network access is constrained by the security group's traffic control policy. (In OpenStack, intra-group access is not automatic for every group: the tenant's default security group ships with self-referencing ingress rules, whereas a newly created group allows intra-group ingress only once a rule naming the group itself as the remote group is added.) Therefore, a tenant may implement security zone division by creating different security groups.
The IaaS provides a virtual resource isolation mechanism between tenants only. Although network traffic between VMs in different security groups of the same tenant can be controlled, a VM in one security group of that tenant can still invoke the IaaS interface over the management network to operate the virtual resources of another security group of the same tenant, because the IaaS authorizes such calls at tenant granularity rather than at security group granularity. Therefore, a security risk exists in the invocation of IaaS virtual resources.
In a cloud computing scenario, an application therefore requires not only that network traffic between security zones be controlled, but also that virtual resources be isolated between security zones.
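The distinction drawn above between network-plane control (security groups) and management-plane authorization (the tenant-scoped IaaS interface) can be made concrete with a small model. The following Python is an added example written for this page, not code from the original text or from OpenStack. The VMs, security groups and rules are constructed for illustration; `IaaSApi` models the tenant-scoped authorization the text describes, and `ZoneScopedIaaSApi` is an assumed stricter check, included only to show what per-zone virtual resource isolation would add, not a mechanism the page describes.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    security_group: str   # used here as the VM's security zone


@dataclass(frozen=True)
class IngressRule:
    """Ingress rule in the style of a Neutron security-group rule: TCP
    traffic to members of `group` on ports [port_min, port_max] is allowed
    when it originates from a VM that is a member of `remote_group`."""
    group: str
    remote_group: str
    port_min: int
    port_max: int


def intra_zone(group: str, port_min: int = 1, port_max: int = 65535) -> IngressRule:
    """Self-referencing rule: lets members of a group reach each other,
    the kind of rule OpenStack's default security group ships with."""
    return IngressRule(group, group, port_min, port_max)


class SecurityGroups:
    """Network-plane control. Nothing is allowed unless a rule says so."""

    def __init__(self, rules: Iterable[IngressRule]):
        self.rules = list(rules)

    def network_allowed(self, src: VM, dst: VM, port: int) -> bool:
        if src.tenant != dst.tenant:
            return False          # tenant networks are isolated by the IaaS
        return any(r.group == dst.security_group
                   and r.remote_group == src.security_group
                   and r.port_min <= port <= r.port_max
                   for r in self.rules)


class IaaSApi:
    """Management-plane authorization as the text describes it: any caller
    holding the tenant's credentials may operate any resource of that
    tenant, whatever security group the caller's own VM is in."""

    def __init__(self, vms: Iterable[VM]):
        self.vms = {vm.name: vm for vm in vms}

    def _authorize(self, caller: VM, target: VM) -> bool:
        return caller.tenant == target.tenant

    def delete_vm(self, caller: VM, target_name: str) -> bool:
        target = self.vms.get(target_name)
        if target is None or not self._authorize(caller, target):
            return False
        del self.vms[target_name]
        return True


class ZoneScopedIaaSApi(IaaSApi):
    """Hypothetical stricter check (an assumption of this example, not a
    mechanism from the page): a caller may operate only resources that
    belong to its own tenant AND its own security zone."""

    def _authorize(self, caller: VM, target: VM) -> bool:
        return (super()._authorize(caller, target)
                and caller.security_group == target.security_group)


def scenario():
    """Constructed sample: a DMZ web VM and two core DB VMs of tenant-a,
    plus a VM of another tenant. The only cross-zone hole is MySQL."""
    web = VM("web-1", "tenant-a", "dmz")
    db1 = VM("db-1", "tenant-a", "core")
    db2 = VM("db-2", "tenant-a", "core")
    foreign = VM("x-1", "tenant-b", "core")
    sg = SecurityGroups([
        intra_zone("dmz"),
        intra_zone("core"),
        IngressRule("core", "dmz", 3306, 3306),   # dmz -> core, MySQL only
    ])
    return web, db1, db2, foreign, sg


def demonstrate() -> dict:
    web, db1, db2, foreign, sg = scenario()
    return {
        # network plane: cross-zone traffic is constrained by the rules
        "dmz_to_core_mysql": sg.network_allowed(web, db1, 3306),
        "dmz_to_core_ssh": sg.network_allowed(web, db1, 22),
        "core_to_core_ssh": sg.network_allowed(db1, db2, 22),
        "other_tenant": sg.network_allowed(foreign, db1, 3306),
        # management plane: the DMZ VM can still delete the core DB VM
        "api_delete_cross_zone": IaaSApi([web, db1, db2]).delete_vm(web, "db-1"),
        "api_delete_other_tenant": IaaSApi([web, db1, foreign]).delete_vm(foreign, "db-1"),
        # with the assumed zone-scoped check the cross-zone call is refused
        "zone_scoped_cross_zone": ZoneScopedIaaSApi([web, db1, db2]).delete_vm(web, "db-1"),
        "zone_scoped_same_zone": ZoneScopedIaaSApi([web, db1, db2]).delete_vm(db2, "db-1"),
    }


if __name__ == "__main__":
    for check, allowed in demonstrate().items():
        print(f"{check}: {allowed}")
```

The point the model makes is the one in the text: `dmz_to_core_ssh` is refused by the security group, yet `api_delete_cross_zone` succeeds, because the only question the tenant-scoped API asks is whether caller and target share a tenant. A deployment that relies on security groups alone for zone separation must therefore also restrict which VMs can reach the management network and hold tenant credentials, or scope the API authorization to the zone as the last two checks illustrate.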